Bug 1462823

| Field | Value |
|---|---|
| Summary | [DOCS] AWS configuration does not describe how to use IAM Roles |
| Product | OpenShift Container Platform |
| Component | Documentation |
| Version | 3.4.0 |
| Status | CLOSED CURRENTRELEASE |
| Severity | urgent |
| Priority | unspecified |
| Reporter | Steven Walter <stwalter> |
| Assignee | Gaurav Nelson <gnelson> |
| QA Contact | Jianwei Hou <jhou> |
| Docs Contact | Vikram Goyal <vigoyal> |
| CC | aos-bugs, erich, jokerman, mmccomas, rcook |
| Keywords | Reopened |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Clone Of | |
| | 1467508 |
| Bug Blocks | 1467508 |
| Last Closed | 2018-03-07 01:08:26 UTC |
Description
Steven Walter
2017-06-19 15:53:08 UTC
So IAM roles must exist before launching the instances. The cloudformation configuration for creating the IAM role is:

```json
"NodePolicy": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": [ "ec2.amazonaws.com" ] },
          "Action": [ "sts:AssumeRole" ]
        }
      ]
    },
    "Policies": [
      {
        "PolicyName": "node-describe",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [ "ec2:Describe*", "ec2:AttachVolume", "ec2:DetachVolume" ],
              "Resource": "*"
            }
          ]
        }
      }
    ]
  }
},
"MasterPolicy": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": [ "ec2.amazonaws.com" ] },
          "Action": [ "sts:AssumeRole" ]
        }
      ]
    },
    "Policies": [
      {
        "PolicyName": "master-ec2-all",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [ "ec2:*", "elasticloadbalancing:*" ],
              "Resource": "*"
            }
          ]
        }
      }
    ]
  }
},
"MasterInstanceProfile": {
  "Type": "AWS::IAM::InstanceProfile",
  "DependsOn": "MasterPolicy",
  "Properties": { "Roles": [ { "Ref": "MasterPolicy" } ] }
},
"NodeInstanceProfile": {
  "Type": "AWS::IAM::InstanceProfile",
  "DependsOn": "NodePolicy",
  "Properties": { "Roles": [ { "Ref": "NodePolicy" } ] }
},
```

Is there anything you need to do on the openshift side? What do you put into aws.conf?

On the openshift side all you need to provide is `openshift_cloudprovider_kind: aws`; the installation will place an empty file in the location of the aws.conf and pass successfully.

Updated the example in the docs to include this information. See https://github.com/openshift/openshift-docs/pull/4645

Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/32eaf45f2126dcaadffd9a3c9e613c9ec1b72463
Merge pull request #4645 from gaurav-nelson/Bug1462823Fixes

Bug#1462823 - Fixes

1. Is there a configuration option to override the expected name of the roles to assume? For example, is there a way in Openshift to not expect the default role names, but use an attribute named "RoleName" in the cloudformation configuration to specify the generated role name? Something like:

```yaml
ADFSAgencyNetworkAdministratorsRole:
  Type: "AWS::IAM::Role"
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Principal:
            Federated: !Sub
              - "arn:aws:iam::${accountId}:saml-provider/ADFS"
              - accountId: !Ref "AWS::AccountId"
          Action:
            - "sts:AssumeRoleWithSAML"
          Condition:
            StringEquals:
              SAML:aud:
                - "https://signin.aws.amazon.com/saml"
    RoleName: "ADFS-AgencyNetworkAdministratorsRole"
    ManagedPolicyArns:
      - "arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess"
      - "arn:aws:iam::aws:policy/AWSDirectConnectFullAccess"
      - "arn:aws:iam::aws:policy/AmazonRoute53ReadOnlyAccess"
```

2. Can we be more precise in granting privileges? The `ec2:*` in the example you give may be a problem. If I need to set aws as the cloud provider but all I need is to dynamically assign Elastic Block Storage for persistent volumes, can I change `ec2:*` to a smaller list of permissions?

Updates are now live at https://docs.openshift.com/container-platform/3.5/install_config/configuring_aws.html

Cloned this bug. To address the last comment please see https://bugzilla.redhat.com/show_bug.cgi?id=1467508.

Based on https://bugzilla.redhat.com/show_bug.cgi?id=1452816#c21 this looks like this should not have been closed / completed.

@Eric, Bug was about:

> In the docs it says: "Note: IAM profiles may be used instead of storing API
> credentials on disk." however there is no description as to what process to
> take.

This was addressed in https://bugzilla.redhat.com/show_bug.cgi?id=1462823#c5 and https://bugzilla.redhat.com/show_bug.cgi?id=1462823#c6 and that is why the bug was closed.

Then there was a follow-up question https://bugzilla.redhat.com/show_bug.cgi?id=1462823#c9 which was addressed in https://bugzilla.redhat.com/show_bug.cgi?id=1467508. The updates in https://docs.openshift.com/container-platform/3.7/install_config/configuring_aws.html address all issues.
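As an added example (not code from the bug report, the OpenShift installer or the OpenShift docs), the following script audits the IAM resources of a CloudFormation template before the instances are launched, covering the two points the thread raises: that each role is actually usable by EC2, i.e. its trust policy admits only `ec2.amazonaws.com` and some `AWS::IAM::InstanceProfile` attaches it (an instance only obtains a role's credentials through a profile), and which allowed actions are wildcards such as `ec2:*`. The embedded template is reconstructed from the snippet in the description and labelled as constructed input; the severity levels, the read-only verb list and the function names are the example's own assumptions, and it does not decide which narrower permission set EBS provisioning needs (that is bug 1467508's question).

```python
"""Pre-launch audit of the IAM roles in a CloudFormation template: wildcard
actions, trust policies that admit more than EC2, and roles that no
AWS::IAM::InstanceProfile attaches (EC2 only gets a role via a profile).
Added example; not code from the bug report or the OpenShift docs/installer."""
import json
import sys

def _ec2_trust():
    """Trust policy letting EC2 assume the role, as in the thread's snippet."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]},
        "Action": ["sts:AssumeRole"]}]}

# Constructed input: the four IAM resources from the bug report, wrapped in a
# minimal template so the audit can walk "Resources".
TEMPLATE = {"Resources": {
    "NodePolicy": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": _ec2_trust(),
        "Policies": [{"PolicyName": "node-describe", "PolicyDocument": {
            "Version": "2012-10-17", "Statement": [{
                "Effect": "Allow", "Resource": "*",
                "Action": ["ec2:Describe*", "ec2:AttachVolume", "ec2:DetachVolume"]}]}}]}},
    "MasterPolicy": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": _ec2_trust(),
        "Policies": [{"PolicyName": "master-ec2-all", "PolicyDocument": {
            "Version": "2012-10-17", "Statement": [{
                "Effect": "Allow", "Resource": "*",
                "Action": ["ec2:*", "elasticloadbalancing:*"]}]}}]}},
    "MasterInstanceProfile": {"Type": "AWS::IAM::InstanceProfile",
                              "Properties": {"Roles": [{"Ref": "MasterPolicy"}]}},
    "NodeInstanceProfile": {"Type": "AWS::IAM::InstanceProfile",
                            "Properties": {"Roles": [{"Ref": "NodePolicy"}]}},
}}

READ_ONLY_VERBS = ("Describe", "List", "Get")   # assumption: treated as low risk

def _as_list(value):
    """IAM accepts a bare string where a list is allowed; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def classify_action(action, resources):
    """Severity of one allowed action, or None when it is already specific."""
    _service, _, verb = action.partition(":")
    if action == "*" or verb == "*":        # everything, or a whole service
        return "HIGH"
    if not verb.endswith("*"):              # one named API call: fine
        return None
    if verb.startswith(READ_ONLY_VERBS):    # e.g. ec2:Describe*
        return "LOW"
    return "HIGH" if "*" in resources else "MEDIUM"

def audit_role(name, resource, expected_service="ec2.amazonaws.com"):
    """Findings for one AWS::IAM::Role as (severity, message) tuples."""
    findings = []
    props = resource.get("Properties", {})
    for stmt in _as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(("HIGH", f"{name}: trust policy allows any principal"))
        elif isinstance(principal, dict):
            for svc in _as_list(principal.get("Service")):
                if svc != expected_service:
                    findings.append(("MEDIUM", f"{name}: trusted by {svc}"))
    for policy in props.get("Policies", []):
        label = f"{name}/{policy.get('PolicyName', '?')}"
        for stmt in _as_list(policy.get("PolicyDocument", {}).get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            resources = _as_list(stmt.get("Resource"))
            for action in _as_list(stmt.get("Action")):
                severity = classify_action(action, resources)
                if severity:
                    findings.append((severity, f"{label}: {action} on {resources}"))
    return findings

def roles_without_instance_profile(template):
    """Names of roles that no AWS::IAM::InstanceProfile in the template references."""
    resources = template.get("Resources", {})
    attached = set()
    for res in resources.values():
        if res.get("Type") == "AWS::IAM::InstanceProfile":
            for ref in res.get("Properties", {}).get("Roles", []):
                if isinstance(ref, dict) and "Ref" in ref:
                    attached.add(ref["Ref"])
    return sorted(n for n, r in resources.items()
                  if r.get("Type") == "AWS::IAM::Role" and n not in attached)

def audit_template(template):
    """All findings: per-role policy findings, then roles EC2 could never use."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::IAM::Role":
            findings.extend(audit_role(name, res))
    for name in roles_without_instance_profile(template):
        findings.append(("HIGH", f"{name}: no instance profile attaches this role"))
    return findings

if __name__ == "__main__":
    # Audit a template file named on the command line, else the constructed one.
    tpl = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else TEMPLATE
    for severity, message in audit_template(tpl):
        print(f"{severity:6} {message}")
```

Run against the embedded template it reports `ec2:Describe*` on the node role as LOW and both `ec2:*` and `elasticloadbalancing:*` on the master role as HIGH, while both roles pass the instance-profile check; pass a JSON template path as the first argument to audit your own stack before `openshift_cloudprovider_kind: aws` is set.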